Changes in technology — including the increased use of commercially-available encryption by criminals and terrorists — have partly made it harder for law enforcement and intelligence agencies to conduct certain types of surveillance, a respected U.S. Internet institute has admitted.
However, the authors of the report by Harvard’s Berkman Center for Internet and Society doubt the world is “going dark,” as some government officials claim.
While the report, titled “Don’t Panic,” doesn’t offer a solution to how much access police and other agencies should have to encrypted voice, text and video communications of citizens, it does conclude that “communications in the future will neither be eclipsed into darkness nor illuminated without shadow.” Rather, it says, there will likely be more opportunities for surveillance, not fewer.
“Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will “go dark” and beyond reach.”
The “combination of technological developments and market forces” will “ensure that the government will gain new opportunities to gather critical information from surveillance.”
The report comes amid public debate as some law enforcement and intelligence agencies around the world are demanding back doors to commercially-available security software to ensure they can access communications from potential threats. In a speech last November, RCMP Commissioner Bob Paulson complained child porn rings “can encrypt their communications and they can exploit children for sexual purposes and it’s a little harder to get at them from the police point of view.”
But following disclosures by former NSA contractor Edward Snowden of the capabilities of some Western intelligence agencies to intercept communications, major companies began to act. Apple included default encryption of the password-protected contents of its devices in iOS 8.2, and Google enabled device encryption by default with Android 5.0. Web sites like Yahoo Mail followed, but what worries police is that the encryption on some devices and services uses keys solely in the possession of the device holders, so law enforcement can’t get hold of them through court orders to service providers or vendors.
Quickly, the FBI, the CIA and other agencies went to the U.S. Congress to demand legislation forcing security companies to build backdoors into their software that police and intelligence agencies can access when needed. In Britain, the government introduced a draft bill that would make it easier to get at encrypted communications.
Countering them are cybersecurity experts who say a backdoor runs the risk of being exploited by hackers as well as cops. As encryption expert and project member Bruce Schneier wrote in an appendix to the report, “If the FBI can eavesdrop on your text messages or get at your computer’s hard drive, so can other governments. So can criminals. So can terrorists.”
While this debate is being led in the U.S., it affects Canada, where software companies create or include encryption in their products. The federal government is also involved, although neither the former Conservative nor the current Liberal governments have taken public stands on creating backdoors. For reference, last August the University of Toronto’s Citizen Lab wrote a paper on what it called Canada’s weakening of communications encryption.
After hearing from all sides, the Berkman report’s authors conclude:
• End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten;
• Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required;
• Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel;
• Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread;
• These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.